Technology Transactions Today (https://www.techtransactionstoday.com)
Insights, tips and trends in technology transactions from the country’s leading technology lawyers

AI is Here to Stay: Are You Prepared?
Mon, 15 Apr 2019 08:00:03 +0000
https://www.techtransactionstoday.com/2019/04/15/ai-is-here-to-stay-are-you-prepared/

Machine Learning. Deep Learning. Data Mining. Predictive Analytics. Natural Language Processing.

These are the buzzwords used to describe the pivotal artificial intelligence (AI) space. Companies in every industry, from automotive and electronics to financial services, health care and life sciences, are working to deploy these advanced technology methods in order to bring their innovations to the next level. AI can help pathologists identify diseases, and physicians better assess brain health. It can help bankers automate back-office processes, create more lifelike chatbots, and improve fair lending practices. It can process and collect data more efficiently, protect from cyberattacks, and improve driver safety. As with any disruptive technology, however, this AI race to the moon comes with its share of risks and challenges. Are you prepared to address the various issues that this new technology may bring?

That is just the tip of the iceberg. As one security professional put it: “For large countries, growing and investing in AI is now a matter of national security and longevity. It’s the next natural resource.” Developing AI safely, legally, and efficiently is an uphill battle that — if navigated incorrectly — could result in a disappointing, if not outright dangerous, assortment of missed opportunities, according to Foley & Lardner LLP’s AI Report, which features qualitative research and conversations with startup founders, business executives, and attorneys at Foley working with AI on:

The Dangers of Hype

Access to Quality Data

An Uncertain Regulatory Landscape

The Intellectual Property Conundrum

More Data, More Privacy Concerns

The Double-Edged Sword of Cybersecurity

The Talent Gap

At the end of the day, AI, like all technology, is resolutely human. But that doesn’t mean it can’t improve society. If we seize the AI opportunity thoughtfully — with humanity, ethics, education, testing, and due diligence across organizations and functionalities — perhaps we can, as Michael Campos, research scientist and director of IP at NetraDyne Inc., suggests, “make systems that are a little better than we are.”

Adoption of Artificial Intelligence in Manufacturing Accelerating
Wed, 20 Mar 2019 08:00:28 +0000
https://www.techtransactionstoday.com/2019/03/20/adoption-of-artificial-intelligence-in-manufacturing-accelerating/

The rapid adoption of Industry 4.0 technologies leaves manufacturers with a choice: accelerate with the market or be left behind. According to a 2019 Global Market Insights, Inc. report, the market for artificial intelligence in manufacturing will grow to $16 billion by 2025. Factors driving the adoption of Industry 4.0, the general name given to the deployment of cyber-physical systems, Internet-of-Things technologies and cognitive computing in the manufacturing environment, include:

Reducing the cost of operations

Enhancing operational efficiency

Aligning operations with customer requirements

Analyzing processes in real-time

Scaling operations without intensive capital cost

Achieving these goals is supported by two main principles: interconnection and information transparency. Interconnection refers to the ability of machines, devices, sensors and people to connect and communicate with each other. Information transparency provides operators with large amounts of useful information needed to make appropriate decisions. The interconnected nature of machines and systems in an Industry 4.0 environment combined with information transparency allows manufacturers greater insight into the current operating conditions and operational efficiency of the factory. Comparison of operating conditions and health information between machines facilitates just-in-time maintenance. Leveraging that information using big data analytics (perhaps using cloud-based services) will allow manufacturers to gain many advantages, including near-zero downtime. However, the promise of interconnection comes with its own challenges: (1) data security issues are exacerbated by the need to open previously non-existent lines of communication with vendors, partners and customers; and (2) manufacturers may find it harder to maintain the confidentiality of their processes.

Data security is a complicated area. All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have legislation requiring that entities notify individuals when security breaches of personally identifiable information occur. While most people will think of financial information when they think of “personally identifiable information,” the reality is that personally identifiable information is broader and may implicate the kinds of information maintained by manufacturers that can be inadvertently disclosed or intentionally targeted by bad actors. Manufacturers need to be aware whether their systems include “personally identifiable information” and where vulnerabilities may exist in their systems. For example, Internet-of-Things-enabled devices can allow outside attackers to compromise equipment. More prosaically, as highlighted in a recent data threat report by Honeywell, USB devices are a major threat to manufacturing and industrial facilities. In addition to being aware of the systems that have been deployed in the factory, manufacturers should also strongly consider having a response plan in place should a breach occur.

Information about machines and sensors, i.e., process line information, may be shared with vendors who process the information on the manufacturer’s behalf to surface actionable insights, partners who will use the information to optimize supply chain operations, or customers so that the manufacturer can provide personalized mass-market products, which can create risk for companies around protecting their trade secrets. When drafting and executing vendor, partnership and customer agreements, manufacturers need to consider carefully what information is being shared, how that information is being shared, and what happens to the information after the agreement expires or terminates. Thought also needs to be given to whether it is likely that either party will generate intellectual property apart from the data during the course of the relationship and how ownership of any such intellectual property will be determined.

Manufacturers who adopt principles of Industry 4.0 while keeping their eye on the legal issues presented by those principles will be well-positioned to succeed in the Fourth Industrial Revolution.

Can owning your company's encryption lead to better security?
Mon, 18 Feb 2019 09:00:39 +0000
https://www.techtransactionstoday.com/2019/02/18/can-owning-your-companys-encryption-lead-to-better-security/

While the current vendor environment clearly poses significant challenges and risks to businesses entrusting them with their data, use of encryption can, at least in many cases, materially mitigate that risk. The devil, however, is in the details …

I previously wrote several posts about the somewhat dire state of the world with regard to information security in vendor and supplier relationships. In particular, I noted the growing trend by vendors to decline material liability for security breaches – even in cases of gross negligence and willful misconduct. I also wrote most recently about how vendors are subcontracting key elements of their services to third party cloud providers and then disclaiming all liability for them. In the past, the vendor would have simply agreed they are responsible for such cloud providers as their subcontractors. Today, however, a number of vendors are taking the position they will assume little or no liability for the cloud providers they choose to use. The foregoing trends have led to a significant diminution in information security protections for businesses in their vendor relationships.

The question before us today is “what can a business do in this new vendor environment to mitigate risk?” The answer is not very palatable. Let’s return to the old and well-worn acronym of “CIA.” It is one of the cornerstones of information security. CIA stands for Confidentiality, Integrity and Availability. In the current vendor environment, it is frequently not possible to achieve all three of these components, but the use of encryption may provide at least a partial solution to two of them: confidentiality and integrity.

Now, I am well aware that many vendors offer encryption as part of their services. But let’s look a little closer at exactly what they are offering. The typical conversation with a vendor goes something like the following:

Customer: I am concerned that you are refusing to assume any real liability for data breaches. If there is a breach, your liability is limited to a trivial amount.

Vendor: Do not be concerned at all. We have structured our services so that there is no possibility of a data breach. We use encryption to protect all data stored on our service. In the unlikely event of an unauthorized access, the only thing compromised would be unreadable data. Your data is never placed at risk. It is always protected.

Customer: So you select the encryption algorithm, implement it, and handle key generation and management? Suppose one of those elements is mishandled and our data is breached in unencrypted form? What is your liability?

Vendor: While we certainly stand behind our industry-leading security measures, we don’t assume any heightened liability for failure of those measures. The good news is that our encryption is rock-solid.

Customer: But suppose you are negligent in your choice of encryption methodology and its deployment?

Vendor: That won’t happen. Trust us.

Bottom line: the customer has nothing but the vendor’s best intentions to rely on. If the vendor uses an outdated encryption methodology, fails to implement it properly, or mishandles key generation, the vendor accepts no real liability. As a result, the vendor’s offer of industry-leading encryption is, at best, “sales talk.” Businesses cannot rely on it.

What then are businesses to do? The answer is to handle encryption themselves. This allows the business to have greater confidence in the protection of its data. While this cannot be done in every instance for every service, it can be done for many.

There are three approaches:

1. Encrypt on the customer side using encryption means selected by the customer before transmitting data to the vendor.

The problem with this approach is that it generally only works for very rudimentary vendor services (e.g., cloud-based backup systems). It cannot be used for most interactive services furnished by vendors.

2. Encrypt using the growing base of middleware for popular cloud services.

This provides a broader range of services for which the customer can take control of encryption. In addition, many vendors of these middleware applications are willing to assume material liability for security flaws in their products.

3. Find a cloud service where the vendor offers the customer the ability to manage key generation on the customer side.

This is clearly the future and the most seamless means of mitigating risk. Already, several internationally recognized cloud providers are making this option available for some of their core services. I expect to see more vendors doing so in the near future. It is a competitive advantage to offer this functionality.

An issue closely related to encryption and one that is often overlooked is secure destruction of data on termination of the vendor contract. All too often, this key issue is relegated to a sentence along the following lines: “On termination of this Agreement, Vendor will delete the customer data.” Certainly, this is short on detail. If only a few words can be changed, we would recommend making clear the deletion must be “secure and irrevocable.” A better practice, however, is to expressly reference one or more of the recognized standards in the industry for destruction. For example:

On termination of this Agreement, Vendor shall ensure all Client Confidential Information has been “scrubbed” and irretrievably deleted from its systems and records using methods consistent with best industry practices (i.e., at least as protective as the DoD 5220.22-M Standard, NIST Special Publication 800-88, Guidelines for Media Sanitization, or NAID standards).

Note that in some industries there are clear preferences for one of these destruction methods over the others. Make sure to reference the appropriate standard.

While the current vendor environment clearly poses significant challenges and risks to businesses entrusting them with their data, use of encryption can, at least in many cases, materially mitigate that risk. The devil, however, is in the details. If the vendor controls the process and refuses any real liability for any flaws in that process, then the customer will have little additional protection. If, on the other hand, the customer can have a hand in controlling that process, far greater protection can be achieved.

Biometric Privacy: Illinois Supreme Court Decision Allows Claims to Proceed Without Showing of Actual Harm
Mon, 04 Feb 2019 09:00:56 +0000
https://www.techtransactionstoday.com/2019/02/04/biometric-privacy-illinois-supreme-court-decision-allows-claims-to-proceed-without-showing-of-actual-harm/

On January 25, 2019, the Illinois Supreme Court handed down a key ruling that will make it significantly easier for consumers and workers to sue and recover damages for mere non-compliance with the requirements of the state’s Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (BIPA or Act). In its highly anticipated decision in Rosenbach v. Six Flags Entertainment Corp., the state’s high court unanimously held that actual harm is not required to bring an actionable claim under BIPA, and that a violation of BIPA’s technical requirements alone can support a cause of action under the Act. Thus, an individual who merely alleges a technical violation of BIPA is sufficiently “aggrieved” under the Act—with statutory standing to sue for significant statutory damages and injunctive relief—even if that person suffered no actual injury or harm as a result of the violation.

The Illinois Supreme Court’s ruling comes as welcome news to plaintiffs’ attorneys, who will now have fewer impediments to pursue no-injury class action lawsuits under BIPA, which allows for recovery of statutory damages of up to $5,000 for each violation, and attorneys’ fees and costs.

What is BIPA?

When BIPA took effect in 2008, Illinois became the first state to enact a biometric privacy law regulating the collection, use, and storage of “biometric identifiers,”[1] such as fingerprints, voiceprints, iris or retina scans and scans of hand or face geometry, as well as other “biometric information” based on those identifiers to the extent used to identify an individual (collectively, “biometric data”). Although three other states have since passed similar laws, BIPA remains the only one that grants individuals a private right of action—the right to sue and seek damages or injunctive relief for statutory violations.

BIPA does not prohibit the collection or purchase of biometric data. Instead, BIPA provides standards of conduct for private entities (including employers) collecting and maintaining such data, and also places several restrictions and affirmative obligations, including the following:

Notice and Consent. BIPA prohibits any company from collecting biometric data until it:

informs the person (or their legally authorized representative) in writing if their biometric data is being collected or stored, and the specific purpose and length of time for which that data is being collected, stored, and used; and also

obtains a written release executed by the person or representative permitting them to do so.

Written Policy. Entities must develop and adhere to a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying the biometric data when the initial purpose for collecting them has been satisfied or within three years of the individual’s interaction with the entity, whichever occurs first.

Standard of Care. Companies should use a “reasonable standard of care” within their industry, and in a manner that is the same as or more protective than the manner in which the business stores, transmits and protects other confidential and sensitive information.

Disclosures to Third Parties. BIPA forbids the sale, lease, or profit from the biometric data and prohibits its disclosure except in narrow circumstances (such as with the person’s consent).

Unlike the two other states that have enacted biometric privacy laws, BIPA is the only one that creates a private right of action for any person “aggrieved” by a violation of the Act – meaning that individuals have the right to personally sue and seek statutory remedies based on an entity’s infringement of BIPA’s requirements. As noted above, non-compliance results in steep damages, including the greater of actual damages or liquidated damages of $1,000 for each negligent violation, and $5,000 for each intentional or reckless violation.

Due to the increasingly popular use of biometric data and the potentially significant liquidated damages offered by the statute, the number of BIPA class action claims filed against companies for their allegedly improper collection of biometric data has ballooned in recent years. Plaintiffs in these cases have generally fallen into two categories: (1) employees of companies that allegedly utilize biometric data, such as fingerprints, for time keeping or physical security purposes; and (2) customers of companies that use biometric data to enhance the consumer experience.

Facts of the Case

The Rosenbach plaintiff fell into this second group. The plaintiff—on behalf of her minor son, a customer of Six Flags—sued Six Flags after her son registered for a season pass at the amusement park. Six Flags allegedly captured the thumbprints of season pass holders to facilitate entry into the park and limit loss from the unauthorized use of passes by non-pass-holders. In her suit against Six Flags, the plaintiff alleged that Six Flags violated BIPA by capturing her son’s thumbprint without first providing written notice, obtaining written consent, and publishing a policy explaining how her son’s thumbprint would be used, retained, and destroyed. She alleged no actual harm beyond the violation of BIPA’s requirements.

Procedural History

Following a motion to dismiss by Six Flags, two questions were certified for interlocutory appeal to the Second District Appellate Court. Both turned on whether an individual is “aggrieved” under BIPA, and thus potentially eligible for statutory remedies, when the only injury alleged is that the defendant collected the plaintiff’s biometric data without providing the required disclosures and obtaining the plaintiff’s written consent as required by the Act.

The Second District Appellate Court answered this question in the negative, holding that a claim is not sufficient if the defendant merely violated a technical requirement of the Act, and that a plaintiff must allege actual harm in order to be deemed “aggrieved by a violation” of BIPA.

The Illinois Supreme Court’s Decision

Upon further appeal, the Illinois Supreme Court reversed. Although the plaintiff was not able to prove that her son’s biometric data was stolen or misused, a unanimous court ruled that the plaintiff is “aggrieved” under BIPA even in the absence of an allegation of actual injury caused by the statutory violation.

In reaching its decision, the court first looked to the legislative intent, explaining that the Act vests in individuals and customers the right to control their biometric data by requiring notice before collection and giving them the power to say no by withholding consent. The court viewed these procedural protections as particularly critical in our digital world because technology permits the wholesale collection and storage of an individual’s unique biometric identifiers—identifiers that cannot be changed if compromised. To this point, the court stated that “[w]hen a private entity fails to adhere to the statutory procedures…the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized. This is no mere ‘technicality.’ The injury is real and significant.”

The court also showed little patience for employers and businesses that misuse biometric data. According to the chief justice of the court: “[c]ompliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded.”

Looking Ahead

Over the past decade, BIPA has become a heavily litigated piece of legislation that has involved class action lawsuits for high-profile companies. BIPA impacts a variety of entities (inclusive of, but not limited to, hospitals, providers, and pharmaceutical and device companies, as well as employers that utilize biometric time clocks to record employees’ working hours or use biometrics for security or identity verification) and many continue to seek guidance on the interpretation of BIPA and how to effectively comply with it. Questions remain as to the applicability of BIPA in many fields, and how entities may operate so as to ensure compliance with same in such instances of uncertainty.

To avoid exposure to lawsuits under BIPA, any entity that has Illinois employees or operates in Illinois and that collects, stores or uses biometric identifiers or information, whether that of its employees or of its customers, guests or visitors, must adopt and implement written policies and procedures regarding its collection, retention, disclosure and destruction of this data that are sufficient to comply with the strict standards and requirements of BIPA. Having these policies by themselves, however, is not enough. It is critical that entities, especially in an employer/employee context, provide notice to individuals that their biometric information is being collected, stored, and/or used. For employers, this can be part of the onboarding process, where a signed affirmation of receipt of the notice can be made a condition of employment. Doing so will help secure a strong defense to any claim that an employee lacked adequate BIPA notice. Developing policies and procedures that place individuals on notice of an entity’s collection/storage and use of biometric information is especially critical in light of the new precedent set by the Illinois Supreme Court which opens the doors for more than 200 pending similar cases filed under the statute that accuse other businesses, including hotels and research entities, of violating BIPA for collecting biometric data without the accompanying disclosures or written consent. In addition, entities that do, or will have a need to, possess biometric data should immediately take steps to evaluate their need for collecting such information, and assess whether there is an alternative way to accomplish business objectives without possessing this data. If it is determined that biometric identifiers must be used, entities should have a clear understanding of how their biometric software works.
Organizations should consider agreements with third-party vendors outlining the vendor’s responsibilities that at least certify the vendor will comply with all applicable laws, and that the vendor will not disclose the information to third parties without written consent.

—————————

[1] This term does not include signatures, photographs, physical descriptions or biological materials used for medical or scientific purposes.

Blockchain — Not Bitcoin — in Bankruptcy
Mon, 28 Jan 2019 09:00:23 +0000
https://www.techtransactionstoday.com/2019/01/28/blockchain-not-bitcoin-in-bankruptcy/

In the past several weeks, we have seen an uptick in crypto-related insolvencies; most recently Giga Watt, a Bitcoin-mining firm, filed for chapter 11 relief in the Eastern District of Washington. Often, the questions arising out of a crypto-related bankruptcy revolve around the value of Bitcoin or other cryptocurrency. However, while cryptocurrency is certainly how blockchain technology was first deployed, it is by no means its only utility. For example, in the organic food industry, retail giants like Walmart have employed blockchain technology to shore up their supply chains. If there is a need to identify precisely from where a SKU of organic lettuce was sourced, blockchain technology now affords Walmart the ability to do so in a matter of seconds instead of days.[1] Thus, while often discussed in connection with Bitcoin, blockchain technology in the bankruptcy context is not exclusively a conversation about a bitcoin’s worth.

What Is Blockchain Technology?

A blockchain is an “incorruptible digital ledger of economic transactions that can be programmed to record not just financial transactions but virtually everything of value.”[2] Digital data is recorded in “blocks,” each of which is assigned a unique “hash.” The hash serves as an identifying “seal” that ensures that the data on the block have not been tampered with. Each block also contains on it the hash of the preceding block, which is what allows for the formation of a “chain.” If one attempts to change the data residing on a given block, a new hash will be generated for that block and the chain will be broken, since the hash of the block coming after the tampered block will no longer reflect the correct hash. This is what makes a blockchain so difficult to “hack.”

A key attribute of a blockchain is that the data is shared or “distributed.” Imagine a spreadsheet containing digital data (a digital ledger) that is duplicated thousands of times and distributed to numerous different computers on a vast network. A copy of that spreadsheet is updated every time a single item is changed. The new version of the spreadsheet is redistributed to those computers—each of which stores its own copy of the same spreadsheet, including every version of that spreadsheet from its creation. Because each computer on the network stores its own copies of every single historical version of the entire spreadsheet, there is no one “central” repository or administrator of the data. Rather, the distributed ledger is “decentralized.”

Let’s apply the above analogy to Bitcoin. Think of the Bitcoin blockchain as a very large spreadsheet that contains all Bitcoin transactions. If Company A wishes to transfer to Company B 10 bitcoins, it will publish its intention to do so in the bitcoin network. The network of computers will then go to work: They will verify numerous items, including (1) Company A’s identity (by checking its public key — a unique identifier that serves as a digital “signature”), (2) that Company A has at least 10 bitcoins, and (3) the identity of Company B.

What blockchain technology permits is the removal of the “central administrator.” There is no “bank” that confirms that Company A has enough coins to transfer to Company B, and that the parties to the proposed transaction are who they say they are. Rather, the transaction is completely self-executing and relies on technology for the security that is oftentimes taken for granted when dealing with banks, escrow agents and other financial institutions that facilitate these transactions — at a cost (e.g., fees, human error and fraud, to name just a few).

Potential Uses of Blockchain Technology in the Bankruptcy Process

If the purported benefit of blockchain technology is “cutting out the middle man,” its potential for use in the bankruptcy context is readily apparent.

Auctions

The auction of a debtor’s assets under 11 U.S.C. § 363 can involve numerous parties: the debtor (i.e., the seller), potential buyers (qualified bidders), the debtor’s secured lender, the stalking-horse bidder, the U.S. Trustee’s office and, of course, the auctioneer retained to oversee the auction. Sale-procedure motions are often replete with terms aimed at winnowing down the herd of potential buyers by requiring that they meet a minimum threshold bid, produce the requisite documentation, possess a certain level of capital or provide other proof of financial wherewithal to purchase the proposed assets. Typically, estate professionals are tasked with reviewing sometimes thousands of bids to determine which of them are “qualified” to participate in the auction. Once the auction commences, estate professionals must assess not just the eligibility of each incoming bid, but its order in the sequence of bids.

Blockchain technology could streamline this process by automating portions of, if not the entirety of, the auction process — i.e., by cutting out the “middleman.” The debtor, the stalking-horse bidder, the debtor’s lender and any other parties in interest can agree to the parameters of the auction process and, once approved by the bankruptcy court, build a blockchain environment based on those parameters. In lieu of professionals, computers on the network would verify a proposed bid to check, among other things, whether the bid is a “qualified bid” under those pre-approved rules. Each bid, once accepted onto the blockchain, would be stamped with a hash so that its position in the relative order would be incorruptibly established.
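The following added example (not part of the original article) shows pre-approved qualification rules gating entry to a hash-chained bid record, and what the hash stamp does and does not establish about ordering. The rule values, field names and bidder names are constructed assumptions, and a single hash-linked list stands in for a distributed blockchain.

```python
import hashlib
import json

GENESIS = "0" * 64
# Constructed stand-ins for court-approved bid procedures (not from the article).
RULES = {"minimum_bid": 1_000_000, "min_increment": 50_000, "deposit_pct": 10}


def entry_hash(seq, prev_hash, bid):
    """SHA-256 over a canonical encoding of position, parent hash and bid."""
    payload = json.dumps({"seq": seq, "prev": prev_hash, "bid": bid},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def qualification_errors(bid, current_high, rules=RULES):
    """Return rule violations; an empty list means the bid is qualified."""
    errors = []
    if bid["amount"] < rules["minimum_bid"]:
        errors.append("below minimum bid")
    if current_high is not None and bid["amount"] < current_high + rules["min_increment"]:
        errors.append("does not clear the high bid by the minimum increment")
    if bid["deposit"] * 100 < bid["amount"] * rules["deposit_pct"]:
        errors.append("deposit too small")
    if not bid["proof_of_funds"]:
        errors.append("no proof of funds")
    return errors


class BidLedger:
    """Append-only list of accepted bids, each linked to its predecessor's hash."""
    def __init__(self):
        self.entries = []

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def high_bid(self):
        return max((e["bid"]["amount"] for e in self.entries), default=None)

    def submit(self, bid):
        """Record the bid only if it passes every rule; return (accepted, errors)."""
        errors = qualification_errors(bid, self.high_bid())
        if errors:
            return False, errors
        seq, prev = len(self.entries), self.head()
        self.entries.append({"seq": seq, "prev": prev, "bid": dict(bid),
                             "hash": entry_hash(seq, prev, bid)})
        return True, []

    def verify(self, expected_head=None):
        """Return None if intact, the index of the first bad entry, or "head"
        when the chain is self-consistent but ends on an unexpected hash."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if (e["seq"], e["prev"]) != (i, prev) or e["hash"] != entry_hash(i, prev, e["bid"]):
                return i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return "head"
        return None


def demo():
    """Run constructed bids through the ledger, then check two kinds of alteration."""
    def bid(name, amount, deposit):
        return {"bidder": name, "amount": amount, "deposit": deposit, "proof_of_funds": True}
    ledger = BidLedger()
    outcomes = [ledger.submit(b) for b in (
        bid("Stalking Horse LLC", 1_000_000, 100_000),  # qualifies
        bid("Bidder B", 1_020_000, 102_000),            # increment too small
        bid("Bidder C", 1_100_000, 110_000),            # qualifies
        bid("Bidder D", 1_200_000, 50_000),             # deposit too small
    )]
    intact = ledger.verify()
    witnessed_head = ledger.head()  # head hash as recorded by another participant
    # A recorded amount edited in place no longer matches its stored hash.
    ledger.entries[0]["bid"]["amount"] = 1_500_000
    edited_at = ledger.verify()

    # The same history re-hashed end to end is self-consistent; only comparison
    # with the independently held head hash shows that it was replaced.
    rehashed, prev = BidLedger(), GENESIS
    for i, e in enumerate(ledger.entries):
        h = entry_hash(i, prev, e["bid"])
        rehashed.entries.append({"seq": i, "prev": prev, "bid": e["bid"], "hash": h})
        prev = h
    return {
        "accepted": [ok for ok, _ in outcomes],
        "intact": intact,
        "edited_at": edited_at,
        "rehashed_alone": rehashed.verify(),
        "rehashed_vs_witness": rehashed.verify(expected_head=witnessed_head),
    }


if __name__ == "__main__":
    print(demo())
```

A chain that verifies internally proves only that it is self-consistent. The order of bids is protected against alteration when other parties independently hold the head hash, which is the role the distributed copies play in the article's description.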

Having computers — not humans — decide whether a bid gets through the door and into the auction will reassure potential bidders that each bid will be treated equally. There can be no preferential treatment because so-and-so knows someone in the debtor’s C-Suite. There will be no human error, either — such as a bid that sits too long on an assistant’s desk while the lawyer is on trial and thus does not get time-stamped, or the wrong dollar figure being entered onto the auctioneer’s spreadsheet. These types of inherent flaws in the existing system can deter otherwise-qualified bids that could maximize value for the chapter 11 estate.

Claims Administration

Blockchain technology can be employed throughout the entire claims-administration process, from the creation of the claims registry to distribution to allowed claimholders. Virtually every large or complex chapter 11 case issues dozens of the same omnibus objections: “Objection to Time-Barred Claims” and “Objections to Duplicate Claims.” Rather than having professionals tasked with sifting through thousands of claims to determine whether they are time-barred or duplicative, the technology can verify that the claim is timely and nonduplicative before recording the claim onto the blockchain. As with the example described above, there is no human error or human “compulsion” that comes into play. All potential claimants are treated equally on the blockchain. Similarly, once the bankruptcy court confirms a chapter 11 plan outlining what constitutes an “allowed claim,” the priority scheme of such claims and the distribution mechanisms, all of those parameters can be programmed into the blockchain to ensure a timely and automated distribution process.

Because the blockchain is a decentralized network, all parties-in-interest (i.e., those who have requested notice) can be given access to the blockchain to see for themselves which transactions have been recorded. Notice parameters can be built in such that any “rejections” can trigger the generation of a notice of rejection (which could, in turn, cause the debtor’s professionals to file an objection). Indeed, these potential benefits in the context of claims administration are why blockchain technology appears to be particularly alluring to the insurance industry.

Vote Tabulation

Given the vaunted security of blockchain technology, it is no surprise that states have viewed its potential for fighting election tampering and low voter participation. West Virginia offered mobile blockchain voting applications for overseas votes in the past November 2018 election for this exact reason.[3] A similar concept can be applied to the voting process under 11 U.S.C. § 1126. For example, one of the rules programmed into the blockchain could be that a vote can only be counted if it is an “allowed claim” under 11 U.S.C. § 502. In other words, if an objection has been lodged against the claimant attempting to cast a vote, the vote will be rejected. As with the sale process and claims administration, blockchain technology has the potential to alleviate some of the inherent inefficiencies of vote-tabulation under the current system.

Conclusion

Blockchain is not just a tool for fancy new currencies. It is a technology that can be employed in any context involving large amounts of data. The bankruptcy process is no exception, so practitioners and professionals alike would be well-served by keeping an eye on how a blockchain might play a role in a bankruptcy court near you.

The End of Security as We Know It

Published Tue, 11 Dec 2018 16:59:09 +0000 at https://www.techtransactionstoday.com/2018/12/11/the-end-of-security-as-we-know-it/

If you listen very carefully, the age of information security as we know it ended recently, not with a bang, but with a whimper. While that may be something of an overstatement, a recent event put us on the track to that very end.

Consider the “old-way”: Your company decides to engage a vendor to provide services or products in which the vendor will have possession of, hosting of, access to, or other use of your sensitive data or interaction with your production systems. In those cases, a prudent company would do three things to address information security. First, they would conduct due diligence of the vendor’s security practices, including past security incidents, compliance with recognized security standards, security policy review, etc. Second, they would include specific, strong protections in their contract with the vendor addressing the vendor’s obligations with regard to security, including service level obligations to ensure the availability of critical data. Finally, a prudent company would conduct post-contract execution audits and inspections to ensure the security requirements in the agreement are being followed.

These three approaches to mitigating security risks in vendor agreements form an integrated whole and reflect best industry practices: diligence, contract requirements, and post-contract policing.

These three approaches to mitigating risk form the cornerstone for businesses to show they have been diligent and acted reasonably in addressing security risks in vendor contracts.

These three approaches to mitigating risk are the primary means by which a business can respond to and defend itself against a regulatory investigation in the event of a security breach.

Now, imagine the new emerging paradigm – a paradigm in which you are not able to implement any of the foregoing approaches to mitigating risk. You cannot conduct diligence, you have no means of achieving required contractual protections, and you are denied post-contract policing. Consider, further, that these are not small engagements, but engagements involving hundreds of thousands, if not millions of dollars in fees.

Let me be more specific about the disturbing trend I am describing. In particular, consider the case of one well-known cloud provider. Let’s call them “ABC”. Their new approach to contracting involves the following: ABC reserves the right, without customer approval or notice, to subcontract performance to any number of third-party hosts or other providers to perform some or all of the key data hosting, security, and other operations comprising ABC’s services. Let’s call the third-party hosts and other providers the “Subcontractors.” ABC can change the Subcontractors at will. Now if we were still operating under the “old way,” ABC would readily agree, at minimum, that it is responsible for the actions of its Subcontractors and any failure by a Subcontractor would constitute a failure by ABC.

But this isn’t the old way. Instead, ABC takes the unprecedented approach of stating that, in fact, it assumes no liability or responsibility for the Subcontractors it has chosen. Moreover, to the extent there are any protections at all, it refers the customer to the online form agreements available from the Subcontractors. The flaw in this approach is that ABC’s customer is not a party to those online agreements. So, while those agreements may be interesting, the customer has no means of enforcing them against the Subcontractors. Only ABC has that right. Only ABC is actually in contract with the Subcontractors.

What Is the End Result of the Foregoing?

First, ABC’s customer has very limited ability to conduct diligence of ABC’s Subcontractors. The customer is limited to perusing generic online information made available generally by the Subcontractors to those visiting their web sites. Even if the customer could conduct meaningful diligence, it would be of little real use because ABC can change the Subcontractors at-will and the Subcontractors can change all or any part of the online information at any time.

Second, if the Subcontractor fails to perform (e.g., it is a host and the service for which the customer is paying ABC fees is never available for access due to SLA failures at the Subcontractor) or suffers a major data breach, ABC assumes no responsibility and ABC’s customer has no remedy. In both cases, the customer is left without the ability to hold either ABC or the Subcontractor accountable for the failure. Worse yet, the customer will likely have no means of declaring a breach of its agreement with ABC and will be unable to terminate the agreement. The customer is left continuing to pay for a service that is, at best, non-conforming or, at worst, creating liability due to a data breach or other mishandling of information.

Finally, because the customer has no contractual rights against the Subcontractors, it has no audit or other rights to ensure the Subcontractor is adequately protecting its information and systems. Even if it had those rights, it has no means of forcing the Subcontractor to correct any identified non-conformances or deficiencies.

To review:

The customer has little or no ability to conduct meaningful diligence of the Subcontractors;

The customer has no contract with the Subcontractor, so it cannot enforce its rights against the Subcontractor;

ABC is refusing any responsibility for its choice of Subcontractors;

ABC can change the Subcontractors at will;

ABC can use this approach to outsource the entirety of its operations and avoid any material responsibility for its services;

Even if ABC retains certain performance obligations, in the event of a failure or breach, ABC is likely to point a finger at the Subcontractor and vice versa as the source of the issue; and

The customer has no means of conducting post-contract assessments and audits of the Subcontractors.

The result: the end of information security as we know it.

What is truly remarkable is that ABC insists its approach is entirely reasonable and entirely consistent with industry practice. Thankfully, they are incorrect. The overwhelming majority of vendors continue the “old way,” rightfully assuming responsibility for the subcontractors they select. Let’s hope that continues.

In the meantime, beware of vendors who attempt to abdicate their responsibility to unnamed third-party contractors. Proceeding with an engagement of that kind means you are, at best, assuming an unqualified obligation to pay for a service that need never be provided and, at worst, a compliance nightmare. Consider having to explain to a regulator or plaintiff in a class action that you entrusted highly sensitive data to a vendor only to have that vendor hand off the data to a third party for whom the vendor assumed no real responsibility and with whom you have no contract. That will be a difficult conversation.

Strategies for Protecting Against Vendor Payment Fraud

Published Mon, 15 Oct 2018 08:00:36 +0000 at https://www.techtransactionstoday.com/2018/10/15/strategies-for-protecting-against-vendor-payment-fraud/

Cybercrime is an ever-increasing threat from which manufacturers are not immune. Although reliable statistics are not available, one particular type of scheme that seems to be on the rise is vendor payment fraud. In cases of vendor payment fraud, the fraudster poses as an existing supplier and provides the manufacturer with seemingly legitimate instructions changing the account payment information. The exact means by which vendor payment fraud schemes are perpetrated can take many forms. However, the most sophisticated and hardest to detect schemes often involve “hacking” into the vendor’s systems and sending a seemingly legitimate email or other instruction directing the change.

Unless properly protected against, vendor payment fraud leaves the manufacturer facing an angry supplier that has not received payment, despite the fact that the manufacturer is out of pocket for money still claimed by the supplier. Manufacturers often must face the difficult choice of making double payments or risking supply disruptions.

It is impossible to eliminate all risks posed by cybercrime. However, there are certain simple steps that manufacturers can take to mitigate the risk posed by vendor payment fraud schemes:

Train and Advise Employees Regarding the Risk

The first line of defense for avoiding vendor payment fraud (and many other kinds of fraud) is a vigilant, well-trained workforce. Most individuals are wary of unsolicited emails concerning their own personal finances. That same level of caution is not always present when dealing with work-related matters. Employees should be made aware of potential fraudulent schemes and should employ a healthy level of skepticism regarding any suspicious or unexpected emails seeking to change existing payment instructions.

Verify Changes to Payment Instructions

Many payment fraud schemes can be avoided by a policy requiring that any change in payment instructions received electronically be verified through a phone call to the appropriate supplier contact person, or other form of manual verification. In cases in which manual verification for all changes may not be practical, requiring verification for suppliers over a designated annual spend still can go a long way toward risk mitigation.

Include Appropriate Contractual Protections

Manufacturers should seek to include provisions in their contracts addressing cybersecurity issues. At a minimum, manufacturers should require that all suppliers and vendors employ appropriate measures to protect their systems from unauthorized access. In particular, manufacturers should include provisions in their contracts to expressly provide that suppliers are responsible for the integrity of their own systems and bear the risk of any lost or misdirected payment resulting from a breach.

Employ Appropriate Security for Internal Systems

Finally, manufacturers should ensure that their own systems are properly protected. Employing such protections is a sound business practice for many reasons. In the context of a vendor payment fraud issue, it will be difficult for a manufacturer to argue that a vendor should have employed better security, and therefore should be responsible for a loss, if the manufacturer does not employ the same or equivalent protective measures for its own systems.

The risks posed by vendor payment fraud and other forms of cybercrime are not going away any time soon, and are likely to increase. Manufacturers should take steps to mitigate the risks posed by these issues before they become a victim.

Have Electric Scooters Pushed Cities Too Far?

Published Mon, 24 Sep 2018 08:00:53 +0000 at https://www.techtransactionstoday.com/2018/09/24/have-electric-scooters-pushed-cities-too-far/

In our May 31 article, “Scooters – The Next Mobility Wave”, we talked about how electric scooters such as Lime, Bird, and Spin have been taking cities by storm. We noted how they are many times met with enthusiasm by the younger and more adventurous residents who can easily find a scooter using an app on their phone, unlock it by scanning a code on the handle, and off they go. On the other hand, cities and municipalities are cautious to embrace the new technology (sound familiar?), frequently at the behest of the older or less technologically adept residents. Often, these cities cite a host of problems, including pedestrian injuries, people riding on sidewalks, riders not wearing helmets and unused scooters blocking walkways and critical access to curb space. Across the country, cities’ approaches to handling these new forms of transit have been mixed at best, and convoluted at worst.

In many cities, these scooters are dropped off in the dark of the night, appearing with the morning dew, without warning or an offer of assistance to cities or the residents. As a result, it’s been the Wild West for the adventurous scooter pioneers, navigating potholed streets and pedestrian-laden sidewalks as these scooters hit speeds close to 15 mph. Scooter companies have, in many instances, hoped cities will simply accept these new transit devices into the fabric of their urban infrastructure without much of a fight. But cities have been fighting back, and now scooter companies are starting to take notice.

In Ann Arbor, MI, the city council provided Bird with notice that their scooters currently violate city ordinances that prohibit the use of electric scooters on sidewalks and in bike-specific travel lanes, but noted that they are allowed on streets up against the right-most curb. That said, an Ann Arbor spokeswoman told the Detroit Free Press that “the scooters’ very essence violated a city ordinance [noting that] motorized vehicles cannot be used on sidewalks or impede public right-of-way.” The spokeswoman continued by noting that “Scooters also cannot be parked on roads, sidewalks or bike paths and must be clear from driveways, access ramps and fire hydrants.” As a result, the city has taken the approach of confiscating any scooter currently left in the city, and locking them in a secured trailer on city property.

Similarly, in June and July of this year, the city of Indianapolis sent cease and desist letters to Bird and Lime regarding scooter operations in the city. Indianapolis, rather than outright confiscating the scooters, opted to pursue licensing, stating that it is illegal for any scooter company to operate within city limits without a license. While Lime complied with the cease and desist letter within two days, pulling all scooters off the street, Bird waited almost 3 weeks before complying. Moving forward, although Bird notes that “[t]he people of Indianapolis have enthusiastically embraced shared electric scooters,” the city says they will “consider, among other factors, the extent to which the applicant’s operations or the use of the applicant’s Shared Mobility Devices have complied with current law” when considering the approval of a permit, on top of the $15,000 annual licensing fee required.

After experiencing the trials and tribulations of opening shop in the “dark of night”, scooter companies are starting to realize that creating fewer issues for cities is likely better than hoping they can simply be ignored. In an attempt to tackle the issues of dangerous and reckless riders, Bird is looking at new technology to keep riders honest and accountable. In San Diego, Bird has partnered with the city to share data on riding habits and now allows consumers to report dangerous riders in the Bird app. Bird and Lime have also looked into modifying the GPS components of the scooters to regulate speeds or disable scooters entirely when entering into high traffic areas. For example, San Diego is considering such limitations on riverwalks and boardwalks where the scooter can be regulated down to a safe speed or stopped entirely, until the rider leaves a pre-determined geofenced area. Additionally, these companies are looking into technologies that can assist with sensing when a scooter is being used on sidewalks, based on certain changes in ride conditions, and encourage riders to use roads to avoid pedestrians and congestion.

3D Printing Continues Making Inroads in Auto Industry

Published Thu, 20 Sep 2018 08:00:25 +0000 at https://www.techtransactionstoday.com/2018/09/20/3d-printing-continues-making-inroads-in-auto-industry/

Additive manufacturing (aka 3D printing) has long been a growing part of the auto industry. Companies started out using 3D printing for prototypes and small batch production. As technology has advanced, the role of 3D printing has rapidly increased. This week, several major players in the auto industry announced new developments for the role of 3D printing in the industry. HP unveiled its “Metal Jet” 3D printers, which it describes as 50 times more productive, with lower operating and purchase costs than existing technology. HP has already partnered with suppliers in the auto industry on the technology, and GKN Powder Metallurgy is already using the printers in its factories.

VW is an early adopter of the Metal Jet, and its personalized gear shift knobs are already being printed using the Metal Jet. This week, VW announced additional plans to increase its 3D printing to further integrate printed parts into its overall manufacturing. VW is aiming for 100,000 printed parts in its supply chain each year.

VW has a history of pioneering in 3D printing. VW started 3D printing in 2014 in its Autoeuropa plant in Portugal, and in 2017, its related case study on 3D printed tooling won awards throughout the world. And it has already had success with the Metal Jet run, according to the announcements this week. With the Metal Jet, VW did not need custom tooling for its personalized gear shift knobs, and it’s saving VW lead times and manufacturing costs.

As detailed in Deloitte’s Additive Manufacturing series, 3D printing has a long-term growth trajectory in the auto industry. It presents opportunities for faster innovation in the industry, and faster time to market with changes. How far 3D printing will infiltrate the existing supply chain, and its limitations, has yet to be seen, but in August, Global Markets Insights, Inc. released a report projecting that additive manufacturing in the automotive market would exceed $8 billion by 2024. For now, HP, VW, and similar companies are leading the charge on making 3D printing part of their standard manufacturing process.

Is California’s Consumer Privacy Act of 2018 going to be GDPR version 2?

Published Thu, 06 Sep 2018 08:00:40 +0000 at https://www.techtransactionstoday.com/2018/09/06/is-californias-consumer-privacy-act-of-2018-going-to-be-gdpr-version-2/

While there is time before the California Consumer Privacy Act of 2018 (the “CCPA”) comes into effect on January 1, 2020, businesses need to start planning now for compliance. The CCPA provides California consumers with significantly expanded rights as to the collection and use of their personal information by businesses. It covers any business that meets revenue or data collection volume triggers and that collects or sells information about California residents.

Applicability to businesses

The CCPA uses a much broader definition of personal information than is generally used in privacy statutes in the United States, including the definition in California’s own data breach notification statute. Personal information under the CCPA includes “information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” With this broad definition, the types of information protected under the CCPA are much closer to those found in the European Union’s General Data Protection Regulation (“GDPR”).

The law applies to for-profit entities that do business in California and have a role in determining the means and purposes of the processing of personal information and that either: (a) have annual gross revenues in excess of $25,000,000; (b) annually process the personal information of 50,000 or more California residents, households, or devices; or (c) derive at least half of their gross revenue from the sale of personal information. Thus, CCPA’s applicability is based on the corporate structure, total revenue and source of revenue, and the amount of personal information processed by a business – regardless of its actual location. The CCPA does not define “households,” and the definition of “devices” is not limited to devices owned by California residents. Accordingly, the law may impact businesses with only loose ties to California.

Despite the apparent broad applicability of the CCPA, it specifically excludes personal information covered by other federal and state laws, such as: health information protected by California’s Confidentiality of Medical Information Act (the “CMIA”) or HIPAA; the sale of information from or to a consumer reporting agency if the information is used as part of a consumer report and used in compliance with the Fair Credit Reporting Act (“FCRA”); and only to the extent CCPA is in conflict, information that is collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (“GLBA”) or to the Driver’s Privacy Protection Act (“DPPA”).

Requirements of CCPA

As currently enacted, the law dramatically increases consumers’ rights of access and control over how their personal information is collected, used, sold and disclosed. Assuming the law is not revised, the CCPA would provide consumers with the following:

Right to Personal Information Collected by Businesses: Consumers will have the right (subject to identity verification) to obtain a record of the personal information that a business collects about them, as well as information about the sources and business or commercial purposes of that personal information.

Right to Erase Personal Information: Consumers can require (subject to identity verification and limited exceptions) a business and its service providers to delete any personal information the business has about the consumer once the personal information is no longer needed.

Right of Opt-Out: Consumers will have the right to opt out of any future sale of their personal information through at least a “Do Not Sell My Personal Information” link on the business’ home page.

Opt-In Requirement for Minors: Businesses are prohibited from selling the personal information of consumers whom the business has actual knowledge are under 16 years old without their or their parents’ opt-in consent.

Prohibits Waiver and Retaliation by Businesses: Waivers of consumer rights and remedies under CCPA are unenforceable and businesses cannot discriminate against consumers for exercising their rights under the CCPA, such as by denying goods or services to the consumer or charging or suggesting different prices or rates for goods and services.

Increased Transparency: Businesses will need to be substantially more transparent about their collection and use of personal information and must provide consumers with notice (in their privacy policies) of their new rights under the CCPA.

Enforcement

Prior to the law taking effect, the CCPA requires the Attorney General to adopt implementing regulations, including the establishment of exceptions, procedures, rules and other regulations necessary to establish compliance or in furtherance of CCPA’s purposes. Technology companies have strongly opposed CCPA and may be expected to take action to affect the implementing regulations. Compliance requirements are expected to evolve between now and the effective date, warranting continued monitoring.

The Attorney General will enforce compliance with the CCPA. Businesses that fail to cure alleged violations within 30 days will be subject to a penalty of up to $7,500 per violation.

The CCPA also provides a private right of action for consumers whose nonencrypted and nonredacted personal information (as more narrowly defined under California’s data breach notification law) was subject to theft or other unauthorized disclosure as a result of a business’ failure to reasonably protect the consumers’ personal information as required under California’s data breach notification law. Subject to certain procedural requirements, each such incident will allow consumers to recover the greater of actual damages or up to $750 per incident per consumer. As with other privacy statutes, claimed violations of CCPA could be the basis to assert class actions.

Impact on businesses

Although the CCPA will not go into effect until 2020, it will take time for impacted businesses to comply with all of its provisions. Businesses subject to the CCPA should consider the following actions in preparation for the CCPA’s implementation:

Conduct a data mapping of the personal information collected by the business to understand the scope of personal information collected and how it is used and shared with third parties.

Review internal policies and procedures to be able to appropriately respond to consumers’ requests for access, deletion, or information related to the sale or disclosure of their personal information.

Closely monitor guidance from the California Attorney General regarding appropriate verification measures for consumer requests. The CCPA describes that a business must associate information provided by a consumer with information it has collected, sold, or disclosed about a consumer to verify their identity, but instructs the California Attorney General to solicit public comments in order to promulgate further regulations in this area.

Begin the planning and implementation of technological improvements to their information systems that may be necessary to process consumer requests and their rights to opt-out of the sale of personal information.

Review and update privacy policies to comply with the disclosure requirements of the CCPA when it becomes necessary to do so.

Begin preparing training materials and planning for training all personnel who are responsible for handling personal information consumer inquiries.

Update contracts with third parties and service providers to whom consumer personal information is conveyed to ensure that the vendor can appropriately respond to consumer requests to delete information. Consider using third party audits to ensure compliance with CCPA and conducting those audits through legal counsel to support the position the results are covered by the attorney-client privilege.